From: "Jeremy C. Reed" <reed@reedmedia.net>
To: freebsd-pf@freebsd.org
Date: Tue, 13 Feb 2007 14:07:36 -0600 (CST)
Subject: Re: pf starts, but no rules
In-Reply-To: <45D1B27B.5615.291E28A7@dan.langille.org>

> > One possible solution that has been suggested would be to use a simple
> > deny all but ssh/dns ruleset in the first stage and load the real ruleset
> > once all interfaces are there and the resolver is working. I'm willing
> > to commit patches, though this is probably something best discussed on
> > freebsd-rc@

By the way, NetBSD and OpenBSD do that.
NetBSD has an /etc/rc.d/pf_boot that runs BEFORE network and loads /etc/pf.boot.conf (if it exists) or /etc/defaults/pf.boot.conf, which contains:

    # Default deny.
    block all

    # Don't block loopback.
    pass on lo0

    # Allow outgoing dns, needed by pfctl to resolve names.
    pass out proto { tcp, udp } from any to any port 53 keep state

    # Allow outgoing ping request, might be needed by dhclient to validate
    # old (but valid) leases in /var/db/dhclient.leases in case it needs to
    # fall back to such a lease (the dhcp server can be down or not responding).
    pass out inet proto icmp all icmp-type echoreq keep state

    # Allow IPv6 router/neighbor solicitation and advertisement.
    pass out inet6 proto icmp6 all icmp6-type neighbrsol
    pass in inet6 proto icmp6 all icmp6-type neighbradv
    pass out inet6 proto icmp6 all icmp6-type routersol
    pass in inet6 proto icmp6 all icmp6-type routeradv

The regular /etc/rc.d/pf requires networking to be done first.

On OpenBSD, it loads rules like:

    block all
    pass on lo0
    pass in proto tcp from any to any port 22 keep state
    pass out proto { tcp, udp } from any to any port 53 keep state
    pass out inet proto icmp all icmp-type echoreq keep state
    pass out inet6 proto icmp6 all icmp6-type neighbrsol
    pass in inet6 proto icmp6 all icmp6-type neighbradv
    pass out inet6 proto icmp6 all icmp6-type routersol
    pass in inet6 proto icmp6 all icmp6-type routeradv
    pass proto { pfsync, carp }
    scrub in all no-df
    pass in proto udp from any port { 111, 2049 } to any
    pass out proto udp from any to any port { 111, 2049 }

(Note it only loads some of these if inet6 is enabled and if NFS is enabled.)

Jeremy C. Reed
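The early-boot stage described above, written as a small POSIX sh helper; this is an added example, not NetBSD's rc.d/pf_boot, not anything from this thread, and not FreeBSD's rc script. It assumes a hypothetical PF_ETC_DIR/PFCTL override so the file-selection logic can be exercised against a scratch directory, and it refuses to load a boot ruleset that does not open with the default deny, since pf's last-match-wins evaluation means "block all" only acts as a default when it comes first.

```shell
#!/bin/sh
# Added example (hypothetical FreeBSD-style pf_boot helper, not a real rc.d script).
# Mirrors the NetBSD behaviour: prefer the site-specific /etc/pf.boot.conf,
# fall back to the shipped /etc/defaults/pf.boot.conf, load it before network.

# PF_ETC_DIR and PFCTL are assumed overrides so the logic can be tested
# against a scratch tree instead of the real /etc and a real pfctl.
: "${PF_ETC_DIR:=/etc}"
: "${PFCTL:=/sbin/pfctl}"

# Print the boot ruleset path in NetBSD's search order; return 1 if neither exists.
pf_boot_conf() {
    if [ -r "${PF_ETC_DIR}/pf.boot.conf" ]; then
        echo "${PF_ETC_DIR}/pf.boot.conf"
    elif [ -r "${PF_ETC_DIR}/defaults/pf.boot.conf" ]; then
        echo "${PF_ETC_DIR}/defaults/pf.boot.conf"
    else
        return 1
    fi
}

# Sanity check: the first real rule (comments and blank lines stripped, whitespace
# trimmed) must be "block all". In pf the last matching rule wins, so a
# "block all" that comes later would override every pass rule before it.
pf_boot_conf_ok() {
    first=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                -e '/^$/d' "$1" | head -n 1)
    [ "$first" = "block all" ]
}

# Enable pf (ignoring "already enabled") and install the boot ruleset.
pf_boot_start() {
    conf=$(pf_boot_conf) || { echo "pf_boot: no boot ruleset found" >&2; return 1; }
    pf_boot_conf_ok "$conf" || {
        echo "pf_boot: $conf does not begin with 'block all', refusing to load" >&2
        return 1
    }
    "$PFCTL" -e 2>/dev/null || true
    "$PFCTL" -f "$conf"
}
```

Run pf_boot_start from an rc.d script ordered before NETWORKING; the real /etc/pf.conf is then loaded later by the normal pf script, replacing this ruleset.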